Security in the smart home: considerations for device makers
When people think of home security they usually think of an alarm system with a keypad next to the door. These days, however, home security should have two meanings. I’m here to talk about the second: cybersecurity. In other words, security in the smart home.
A recent investigation found that a shocking number of leading smart home devices contained outdated SSL libraries. An outdated SSL library could leave the door open for malicious actors to listen in on network traffic. In the smart home context, that traffic could include extremely personal information such as when you’re at home or away. This kind of security threat is far from being the only one; consumer device security breaches are consistently in the news. Clearly, this is a significant issue.
Cybersecurity in the consumer space
Cybersecurity has long been a weak point for the smart home industry. Typically, smart home devices are made on a tight budget and a fast development cycle. This doesn’t leave a lot of room for “extras” like security. What’s more, these devices aren’t being used in safety-critical or high-value environments. The consequences of a smart toaster being compromised don’t begin to compare to the consequences of a factory robot being compromised. These facts have led to a certain complacency in the industry.
While the industry may have gotten away with some complacency until now, the consequences of poor cybersecurity in the smart home are much higher today than they were ten years ago.
Big data = personal data
The amount of data generated by the typical smart home today is orders of magnitude larger than it was five or ten years ago. Most smart homes these days have multiple microphones and cameras on the inside of the home, something that would have been unthinkable in the 2000s. Additionally, many devices contain a variety of cloud services and applications, each with their own associated data sets.
This data enables some of the most advanced functionality we’ve seen in the smart home to date. Take ambient computing as an example of the possibilities offered by a large set of data from interoperable devices. Unfortunately, this data is also the reason that smart home cybersecurity matters now more than ever. A compromised smart home opens up a world of possibilities for bad actors – it could lead to identity theft, devices becoming part of botnets, or leaking of private information such as videos from inside the home.
How companies should respond
The problem may be widespread, but the good news is that companies operating in this space can very easily avoid making their devices a soft target for attackers. Companies should apply regular updates to their application and OS and should ensure that devices are properly isolated.
Robust and regular over-the-air updates
The first step towards having secure devices is having a robust update policy. Many devices in today’s smart homes do not receive updates without manual intervention by the end user. Realistically, that means they do not receive updates at all. This leaves the door open to an unknowable number of future threats.
Both application and OS updates are important here. Application vulnerabilities will be specific to each device, and it is up to the device maker to find and fix potential vulnerabilities in this software. Patches for OS vulnerabilities, on the other hand, will need to come from the maintainer of the operating system. In the case of Ubuntu and Ubuntu Core, Canonical can provide security maintenance and a number of other services.
Isolated systems
A second measure companies can take to protect their devices, especially newer-generation devices that potentially run many applications and services, is to ensure that each of these applications is fully isolated so that vulnerabilities cannot spread. Ubuntu Core, for example, enforces this isolation system-wide, so a vulnerability in one application cannot spread to the others.
With enough time and resources, attackers can likely access any system. Most likely, they will try to exploit the low-hanging fruit. The key for businesses in this space is to make the cost of attacking their devices higher than the benefit to attackers.